News has arrived of yet another lost laptop, this time one belonging to Florida’s Department of Transportation, a loss that put the personal records of a reported 133,000 pilots and drivers at risk.
The disk wasn’t encrypted – it never is in these cases. It is one of those mysteries that you never hear of disks that *have* been encrypted going missing, which would at least be a security triumph of a sort.
But do the rules on data disclosure in these cases actually cause more problems than they solve?
A laptop goes missing, the fact that this has happened is written up in painful detail all over the Internet, often within days, and the thieves learn that they have something more valuable than a second-hand laptop on their hands. Private data like this sells at rates well above the value of any laptop, after all.
These reports give the thieves enough information to identify a machine and to work out what security, if any, is on it, which helps them assess whether a hack is worth pursuing. They also provide the lure of knowing what is stored.
Surely an important weapon in stopping data theft from such devices is the one that people rarely think about – obfuscation. By all means put barriers such as encryption in the way of data retrieval, but why not simply try to make the laptop itself look as innocent as possible? There could also be a minimum disclosure period of three weeks set on alerting the public about a theft.
Laptops are overwhelmingly stolen for their hardware value, but that is surely changing with every disclosure report, and with the emergence of a third-party criminal market for stolen information.
Contrary to conventional wisdom, the speedy reporting of these thefts in the interests of accountability and personal rights isn’t necessarily helping make data more secure at all.